When an application goes out and discovers all the devices on a network, and then sends the information back to some kind of asset management system, how does that work? I understand when there is an EXE file or other program that is run on PCs and servers through some kind of script. But how does software that is not running on devices find out detailed information about the devices?

3 Answers

Most "discovery" software uses SNMP to locate devices. Some of this software does "fingerprinting" using various methods (banner message identification, TCP/IP stack fingerprinting, look-up on MAC OID) to gain more information. Assuming you give the "discovery" the necessary security credentials, it could use WMI to gather information from Windows machines.

I suspect that the main thing you're curious about is ultimately SNMP. You can look up the Wikipedia link, so I won't post it here. If you leave the community names on your gear set to defaults (typically "public" for the read community), it may seem rather magical that software can seem to "learn" things about the devices. Actually, it's just querying a documented interface.

But how does software that is not running on devices find out detailed information about the devices?

Actually, SNMP is running on these systems. That's how information is passed to your monitoring software. SNMP is an accepted standard of device information sharing. The monitoring program looks at your devices (during discovery) then attempts to connect to the SNMP service on each device. Once connected, the monitoring software uses a small set of commands (SET, GET, GETNEXT, etc.) to query the MIB of the device.

It's through repeated queries that graphs are built on the monitoring application. The monitoring application (Zenoss, Munin, Nagios, SCOM, etc.) uses a database and reporting structure to track and alert based on your settings.
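The GET/GETNEXT exchange the two answers above describe, written out as an added example (this is not code from the original page or from any of the tools it names). It hand-encodes an SNMPv2c request in BER so the bytes that leave the discovery host are visible, and decodes a response the same way. The OIDs are the standard MIB-II sysDescr.0 and sysUpTime.0; the agent reply is constructed with the same encoder rather than captured, and the helper names (build_get, parse_message, snmp_get) are this example's own.

```python
# Added example, not code from the original page: an SNMPv2c GET/GETNEXT hand-encoded in BER.
import socket
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
COUNTER32, GAUGE32, TIMETICKS = 0x41, 0x42, 0x43                  # application tags
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE, SNMP_V2C = 0xA0, 0xA1, 0xA2, 1
SYS_DESCR, SYS_UPTIME = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.3.0"  # sysDescr.0, sysUpTime.0

def _length(n):
    # BER length octets: short form below 128, else 0x80|N followed by N length bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def enc_int(v, tag=INTEGER):
    # minimal two's complement; the spare byte keeps e.g. 200 from decoding as -56
    return _tlv(tag, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def enc_oid(oid):
    # first two arcs share one byte; the rest are base-128, high bit set on all but the last byte
    arcs = [int(a) for a in oid.strip(".").split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        body += bytes(reversed(chunk))
    return _tlv(OID, bytes(body))

def build_message(pdu_tag, community, request_id, varbinds):
    # SEQUENCE { version, community, PDU { request-id, error-status, error-index, varbind list } }
    vbl = b"".join(_tlv(SEQUENCE, enc_oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0) + _tlv(SEQUENCE, vbl))
    return _tlv(SEQUENCE, enc_int(SNMP_V2C) + _tlv(OCTET_STRING, community.encode()) + pdu)

def build_get(community, oids, request_id=1, pdu_tag=GET_REQUEST):
    # GET (or GETNEXT, which is how a table is walked) sends NULL placeholders the agent fills in
    return build_message(pdu_tag, community, request_id, [(o, _tlv(NULL, b"")) for o in oids])

def _items(buf):
    # every (tag, body) TLV inside a constructed value, refusing lengths that run past the buffer
    out, pos = [], 0
    while pos < len(buf):
        tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + ln > len(buf):
            raise ValueError("truncated TLV")
        out.append((tag, buf[pos:pos + ln]))
        pos += ln
    return out

def dec_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def dec_value(tag, body):
    if tag in (INTEGER, COUNTER32, GAUGE32, TIMETICKS):
        return int.from_bytes(body, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return body.decode("utf-8", "replace")
    if tag == OID:
        return dec_oid(body)
    return None if tag == NULL else {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}.get(tag, tag)

def parse_message(buf):
    (_, msg), = _items(buf)                                       # exactly one outer SEQUENCE
    (_, ver), (_, community), (pdu_tag, pdu) = _items(msg)
    (_, rid), (_, status), (_, index), (_, vbl) = _items(pdu)
    varbinds = []
    for _, vb in _items(vbl):
        (_, oid_body), (vtag, vbody) = _items(vb)
        varbinds.append((dec_oid(oid_body), dec_value(vtag, vbody)))
    return {"version": dec_value(INTEGER, ver), "community": community.decode(), "pdu": pdu_tag,
            "request_id": dec_value(INTEGER, rid), "error_status": dec_value(INTEGER, status),
            "error_index": dec_value(INTEGER, index), "varbinds": varbinds}

def snmp_get(host, community, oids, port=161, timeout=2.0, pdu_tag=GET_REQUEST):
    # one request/response over UDP against a live agent (not exercised offline)
    req = build_get(community, oids, request_id=0x1234, pdu_tag=pdu_tag)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        data, _ = s.recvfrom(65535)
    resp = parse_message(data)
    if resp["request_id"] != 0x1234:                              # drop stray or spoofed replies
        raise ValueError("request-id mismatch")
    return resp

# Constructed stand-in for a switch's GetResponse (not a real capture), built with the same encoder.
SAMPLE_RESPONSE = build_message(GET_RESPONSE, "public", 0x1234,
    [(SYS_DESCR, _tlv(OCTET_STRING, b"Linux core-sw1 5.10.0")), (SYS_UPTIME, enc_int(123456, TIMETICKS))])
```

`build_get("public", [SYS_DESCR]).hex()` is the same packet `snmpget -v2c -c public <host> sysDescr.0` puts on the wire, and `snmp_get("192.0.2.10", "public", [SYS_DESCR])` (address is a placeholder) sends it to a real agent. Note that the community string is the OCTET STRING right after the version byte, in cleartext: anyone who can sniff the segment, or who guesses "public", can issue the same queries, which is why the default read community matters. Walking a table is the same code with `pdu_tag=GET_NEXT_REQUEST`, feeding each returned OID back in until the agent answers with an OID outside the subtree or an `endOfMibView` value.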

There are many ways of doing this. As well as SNMP, which has been mentioned in a previous answer, there are protocols such as CDP (in Cisco networks) and LLDP (similar to CDP but multi-vendor; it doesn't have widespread support in equipment yet) which allow network devices to detect devices connected to them, which can then be queried by methods such as SNMP or logging in to the device.

One example of where CDP can be used to supplement SNMP discovery is in a switched network. If you simply walk the ARP table of the switch to find all of its neighbours, you will only discover devices which have recently sent or received IP traffic. In a pure L2 switch network there will not be much (if any) inter-switch IP traffic, and so this table will be incomplete. Similarly, if you walk the MAC address table of the switch you will only discover devices over forwarding links. CDP discovers neighbour switches even if there is no IP traffic and will also detect neighbours on ports in blocking status, so this will allow you to discover all links.

There are also tools such as nmap which will sweep a range of addresses and can perform some diagnostics on the replies received to guess at the operating system of the device.

Most methods are not fully automatic and will require the definition of a number of "seed" hosts to start the discovery from.
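The neighbour data this answer says CDP/LLDP provide, as an added example that is not from the original page: a builder and parser for the LLDP frame a switch multicasts on each port, which is how a discovery tool learns "chassis X, port Gi1/0/24 is at the other end of this link" even on a blocking port with no IP traffic. The frame is constructed for the example, not captured, and the function names are this example's own. One caveat a practitioner should keep in mind: LLDP and CDP carry no authentication, so any host on the segment can advertise itself as a neighbour with whatever chassis ID it likes; treat the result as a topology hint to confirm via SNMP against the claimed device, not as ground truth.

```python
# Added example, not code from the original page: build and parse an LLDP neighbour advertisement.
# The frame below is constructed for the example, not a real capture.
import struct

LLDP_MULTICAST = bytes.fromhex("0180c200000e")   # nearest-bridge address; switches do not forward it
ETHERTYPE_LLDP = 0x88CC
END_OF_LLDPDU, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC = 0, 1, 2, 3, 4, 5, 6
TEXT_TLVS = {PORT_DESC: "port_description", SYS_NAME: "system_name", SYS_DESC: "system_description"}
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 3, 5

def _tlv(tlv_type, value):
    # 7-bit type and 9-bit length packed into two bytes, then the value
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def build_lldp_frame(src_mac, chassis_mac, port_name, ttl, system_name, system_description):
    # mandatory TLVs in their required order, two optional ones, then the End TLV
    body = (_tlv(CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + _tlv(PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name.encode())
            + _tlv(TTL, struct.pack("!H", ttl))
            + _tlv(SYS_NAME, system_name.encode())
            + _tlv(SYS_DESC, system_description.encode())
            + _tlv(END_OF_LLDPDU, b""))
    return LLDP_MULTICAST + src_mac + struct.pack("!H", ETHERTYPE_LLDP) + body

def _mac(b):
    return ":".join(f"{x:02x}" for x in b)

def _identifier(value, mac_subtype):
    # first byte is the subtype; render MAC subtypes as a MAC, everything else as text
    subtype, ident = value[0], value[1:]
    return _mac(ident) if subtype == mac_subtype else ident.decode("utf-8", "replace")

def parse_lldp_frame(frame):
    # returns the neighbour record a discovery tool would store; raises on malformed input
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_LLDP:
        raise ValueError("not an LLDP frame")
    neighbour = {"source_mac": _mac(frame[6:12])}
    pos, ended = 14, False
    while pos + 2 <= len(frame) and not ended:
        header = struct.unpack("!H", frame[pos:pos + 2])[0]
        tlv_type, length = header >> 9, header & 0x1FF
        value = frame[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        pos += 2 + length
        if tlv_type == END_OF_LLDPDU:
            ended = True
        elif tlv_type == CHASSIS_ID:
            neighbour["chassis_id"] = _identifier(value, CHASSIS_SUBTYPE_MAC)
        elif tlv_type == PORT_ID:
            neighbour["port_id"] = _identifier(value, PORT_SUBTYPE_MAC)
        elif tlv_type == TTL:
            neighbour["ttl"] = struct.unpack("!H", value[:2])[0]
        elif tlv_type in TEXT_TLVS:
            neighbour[TEXT_TLVS[tlv_type]] = value.decode("utf-8", "replace")
        # organisation-specific (type 127) and other TLVs are skipped; unknown types must be tolerated
    missing = [k for k in ("chassis_id", "port_id", "ttl") if k not in neighbour]
    if not ended or missing:
        raise ValueError(f"malformed LLDPDU: end_tlv_seen={ended}, missing={missing}")
    return neighbour

# Constructed neighbour advertisement (not a real capture): chassis 00:aa:bb:cc:dd:ee, port Gi1/0/24.
SAMPLE_FRAME = build_lldp_frame(
    src_mac=bytes.fromhex("00aabbccddee"), chassis_mac=bytes.fromhex("00aabbccddee"),
    port_name="Gi1/0/24", ttl=120, system_name="core-sw1", system_description="example switch")
```

A discovery tool keys its neighbour table on (chassis_id, port_id) and expires an entry when no fresh advertisement arrives within the TTL, which is why `ttl` is mandatory; the same record is what the LLDP-MIB exposes over SNMP, so the parser above shows the data, not a second transport.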

I don't think I suggested that it could in my answer. My intention was to state that protocols such as CDP and LLDP can allow a discovery application to gather more information about network topology. I have used several network discovery tools which make use of CDP information when walking the network.
– Russell Heilling, Jun 19 '09 at 14:36

I have updated my answer with information on where I have seen supplementing SNMP with CDP to be useful.
– Russell Heilling, Jun 19 '09 at 15:11